How should you secure your network and PC? Depends on how you use them.
There are a few things that are guaranteed to keep your computer and data safe. Don't connect to a network—ever. Keep the machine physically secure in a lead-lined room. Remove the hard drive and store it in a safe. Epoxy over the USB ports and pull out the DVD drive. Keep the keyboard locked in a drawer. Guard the room with dragons. The PC itself should be kept behind the starting defensive lineup of the 1976 Pittsburgh Steelers.
Most of us—those who consider PCs necessary and unconnected PCs pointless—strive to find a balance of utility, convenience, and safety.
Of course, there are simply loads of computer users out there, connected to one another via the Internet and local networks. We've broken out a few kinds of users to show you the particular type of security each special case requires, although it wouldn't hurt anyone to read through all the sections. We have tips for less-experienced users; for people who need to share files, giving others access to their hard drives; for parents, whose children may be savvier users than they are but who know that kids tend to be less concerned about security; for online gamers, who typically have to subvert their computers' security at least a little bit; and for Mac users, whose systems are inherently more secure than those of PC users—and who can be frightfully careless as a result. Finally, because any type of user can use a laptop, some tips for people whose PCs are definitely not kept in lead-lined rooms, guarded by linebackers.
Newbie Neighbors (or Friends, or Relatives, or…You)
Some security rules don't change. Here are our basic, don't-go-online-without-'em tips.
Install and use a security suite.
Use strong passwords for your operating system, e-mail, and all online log-ons. A strong password:
is six or more characters long;
contains a mix of letters, numbers, and symbols;
is not the name of your dog or cat; and
contains words not found in the dictionary.
Keep your system patched—let your operating system and security apps update themselves regularly.
Disable file and printer sharing. In Windows XP, open Network Connections from the Control Panel. Right-click on the connection and choose Properties. In the resulting dialog, uncheck the box labeled File and Printer Sharing for Microsoft Networks.
In Vista, right-click on the Network icon in the system tray or open Network and Sharing Center from the Control Panel. Under Sharing and Discovery, choose Off for File sharing or Printer sharing, depending on your needs.
Never open e-mail attachments from people you don't know—and call to ask about attachments you weren't expecting from people you do know. Corollary: Don't forward e-mail attachments from people you don't know. Attached malware does not pop up and triumphantly announce itself. If you've opened an infected attachment, you won't necessarily know it right away.
Realize that the Internet is a dangerous place. Be suspicious. Don't visit bad neighborhoods or places claiming to give away things you'd normally have to pay for.
Never give out personally identifying information, or your password, to a stranger (this includes someone claiming to represent tech support).
Make sure that all shopping and banking transactions are SSL encrypted. You should see an icon of a lock in the bottom of your browser window or next to the location window when it comes time to type in your personal and credit card information.
Make regular backups of important files and folders.
Encrypt important files and folders. Compression utilities such as WinZip will encrypt archive contents, and so will the Windows (XP and later) option Send To | Compressed (zipped) Folder you can access by right-clicking on a file, or files, or a directory.
Windows Shares
Any general security information should include a warning to disable file and printer sharing unless you need them enabled. For those people—a growing number—who share files within their own networks, here are some precautions to take:
Never share more than you have to. Never, ever share the root directory or the Windows directories.
Start shares when you're going to use them and stop sharing when you're done. You don't leave a door open when you're not walking through it.
Create a restricted account and let other users connect using that user name and password. This prevents you from having to give out your user name and password and separates others' privileges from yours.
Give specific users privileges to read, write, or both, on a directory-by-directory, or even file-by-file basis.
Limit the number of simultaneous users allowed to a realistically low number, like 1 or 2.
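The precautions above, carried out from an elevated Command Prompt on Windows Vista or later, as an added example that is not part of the original article. The account name shareuser, the share name Projects, and the folder C:\Shared\Projects are constructed placeholders.

```batch
@echo off
rem Added example with constructed names: shareuser, Projects, C:\Shared\Projects.

rem 1. Create a restricted local account for the people you share with.
rem    "*" makes net user prompt for the password, so it is not stored here.
net user shareuser * /add

rem 2. Use a dedicated folder, never the drive root or the Windows directory.
mkdir C:\Shared\Projects

rem 3. NTFS permissions: read and execute only, inherited by files and subfolders.
icacls C:\Shared\Projects /grant shareuser:(OI)(CI)RX

rem 4. Create the share: read access for that one account, at most 2 connections.
net share Projects=C:\Shared\Projects /GRANT:shareuser,READ /USERS:2

rem 5. List current shares to confirm nothing else is exposed.
net share

rem 6. Leave the window open while the share is in use, then press a key
rem    to stop sharing.
pause
net share Projects /delete
```

Effective access is the more restrictive of the share permission and the NTFS permission, so setting both to read-only keeps a mistake in one from granting write access.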
P2P Shares
It's none of our business what you download from the Internet, but you should know that around genuine content lurks a miasma of malware. Also, just as the huge base of Windows users makes that platform particularly ripe for attack, the large "community" of file sharers makes file-sharing environments appealing for exploitation.
Don't share files with people you don't know. Torrent technology is awesome for wide-scale sharing, but you can also set up torrents for your friends' eyes only. To make a torrent, first package whatever you are sharing into a single directory or archive file. Then, in your Torrent client, click File | Create a new torrent (or Make Torrent, or something along those lines depending on your client). Select File or Directory and then browse to the location of the file or directory you would like to share.
From here the options should be clear. Create a private (or nonpublic, or embedded) tracker, which is intended for people wishing to share with a small group for a short period of time. The embedded tracker URL is http://your_ip_address:port/announce (where your IP is your computer's IP address and the port is your P2P software's listening port). Your client will have more specific information available online. You will also have to enable private trackers, which will depend on your client. For example, in uTorrent, the embedded tracker must be enabled by the following process: Click Options | Preferences | Advanced, then set bt.enable_tracker to true.
If you must download from an unknown source, make sure to scan the files for malware before viewing or listening to them.
If you try to open a downloaded video and get a prompt that you need to download a proprietary codec from a specific site, don't do it. Delete the file.
Keep your anti-malware and P2P software updated—especially the P2P client, because they tend to need frequent patches to address security vulnerabilities.
Parents
No technology is a substitute for sitting down with your kid and discussing how to browse the Web, send IMs, play games, and e-mail safely. Better to explain about the birds and bees—and online predators—than have him learn it all anywhere else. These tips assume you're already protecting the PC with a standard security suite.
Create a separate log-on ID for each child. Give the kids restricted privileges.
Get to know parental controls. If you use Vista, they're included in your operating system. If not, there are a number of parental-control apps meant to help keep kids safe and focused while they're on the computer. In Vista, use the Activity Viewer feature to monitor your children's use of the Web, and to adjust parental-control settings.
Although it can be daunting, don't neglect Web, e-mail, and instant-message content filtering. If filtering isn't part of your parental-control solution, try OpenDNS, which is free and lets you block sites known to have adult content. Some home broadband routers come with built-in content-filtering options. They may be found on the Security tab, under Access Restrictions, or in another section, depending on your router. If you can't find them, try your router's help file. And Vista's parental controls include rudimentary Web-filtering options.
Learn about ESRB ratings, which range from EC for Early Childhood to A for Adults Only 18+. Use ESRB ratings as a guideline for purchases and explain to your child why you allow or disallow certain content. Enforce those ESRB parental-control settings on Microsoft Xbox 360, Nintendo Wii, Sony PlayStation 3 and PSP, and Windows Vista. In Windows Vista use the Parental Controls dialog to set ESRB permissions.
That said, ESRB ratings are not applicable to online game play. There is no way to control what people say or do in an online world, although you can at least restrict some communications.
On the consoles:
Control buddy lists. Each platform has its own way of doing this. Ban and report foul language.
Nintendo Wii is the most locked-down console. You can set a PIN to control content and Internet access, and the Friend Code system makes it virtually impossible to communicate with anyone without exchanging long numeric codes.
Gamers
If you play online games—think Quake, not Zuma—you have to act as a network engineer to open network ports while maintaining PC security. At least, that's what you have to do if you want to play safely. Anyone can simply turn off security or open all the ports on their firewall, but—chestnut that this is—this really is like leaving your doors and windows unlocked. A proper firewall policy allows traffic through only where necessary.
To play securely, you can take the easy way out and look for security suites with gaming functionality. Most suites have a game, or full-screen, mode, which will suppress alerts and resource-hogging scans while you're playing. And some build in modified firewall settings for recognized games, BitDefender Internet Security 2009, McAfee Total Protection 2009, and Trend Micro Internet Security Pro v2 among them.
Then there's the hard way. You can manage those settings yourself. Note the instructions for software and hardware firewalls. You should be running both.
Software Firewalls
First, whitelist the application that launches the game. Depending on the software, you're looking for options like "exceptions" or "allow applications." You may also have to open specific ports in your hardware firewall (see below) to communicate with other gamers. The game's help or FAQ will tell you which ones.
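As an added example (not from the original article), here is what a narrowly scoped exception looks like in the built-in Windows Firewall on Vista or later, using netsh advfirewall from an elevated Command Prompt. The game path, UDP port 27015, and the two remote addresses (from the 203.0.113.0/24 documentation range) are constructed placeholders; take the real port from the game's help or FAQ.

```batch
@echo off
rem Added example. Constructed values: game path, port 27015, friends' addresses.
set GAME=C:\Games\ExampleGame\game.exe
set RULE=ExampleGame friends only

rem Too broad (shown for contrast, left commented out): any program on the PC
rem could receive traffic on the port, from any address, on any network profile.
rem netsh advfirewall firewall add rule name="Game" dir=in action=allow protocol=UDP localport=27015

rem Scoped: one program, one protocol and port, only the listed remote
rem addresses, and only while connected to a network marked Private.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
    program="%GAME%" protocol=UDP localport=27015 ^
    remoteip=203.0.113.10,203.0.113.22 profile=private

rem Confirm what was actually created.
netsh advfirewall firewall show rule name="%RULE%"

rem Play, then press a key to remove the exception again.
pause
netsh advfirewall firewall delete rule name="%RULE%"
```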
Hardware Firewalls
Before you begin, determine which ports need to be opened. You may have to read the manual or check online help to find this out. The game will probably have inbound and outbound traffic on TCP and UDP ports. Your firewall may not allow you to configure inbound and outbound traffic independently, but if it does, the additional specificity will make you that much safer. A full-featured firewall also lets you open ports based on origination and destination IP address. This way you can communicate with friends and shut out everyone else—you'll just need everyone's IP address.
Now, log on to your router's configuration screen and navigate to the port administration screen. Note that it will probably force you to enter a range of ports. If this is the case and you want to enter only a single port, then use that number for the lower and upper limits of the range; for example, enter 25–25. Make sure to save the configuration to your router.
One alternative is to connect your computer to the DMZ port, which connects directly to the Internet with no security and is isolated from your internal network. Another is to set the port to which your computer is already connected as the DMZ port, but only while playing the game. This is not ideal but could be a good compromise between freedom and protection. Either way, moving your PC into the DMZ would remove security rules from your game traffic. Moving back onto the LAN puts you back behind the firewall.
Also, be aware that security violations and hacking are on the increase in online games. Avatars and names don't represent actual gamers; just because you're there to have fun doesn't mean you can let your guard down.
Mac Users
Contrary to popular belief, Macs are not immune to attacking, hacking, and malware. There has been an increase in Mac malware, though it's still negligible compared with Windows malware—but security isn't all about malware. Mac users are no more immune than anyone else from social engineering attacks, and they still need to protect themselves from direct attack either over a network or directly from a console. Furthermore, Macs can carry malware that doesn't affect them, spreading it to friends via e-mail attachments.
As in Vista and Linux, it's wise to restrict access to actions that require Administrator privileges. From an Administrator account, you can remove Administrator access to any other account. If you have only one account and want to restrict access, go to System Preferences | Make Another Account, make the new account an Administrator account, log out, log in using the new account, remove Administrator privileges from the original account, and log back in to the original account. Use the original account for daily duty and the second account for rare administration tasks.
Protect System Preferences from casual tampering. Go to System Preferences | Security, then
Enable Require password to wake this computer from sleep or screen saver and Disable automatic log-in.
Enable Log out after [x] minutes of inactivity if your Mac is in a public place. Be aware, though, that you may lose your work if it's not saved when you've automatically logged out.
Enable Use secure virtual memory. I'm not sure who would want insecure virtual memory. Without this enabled, your Mac may write a password to the memory that is really just a file on your hard drive.
If you're not using it, turn it off. Go to System Preferences | Sharing. Uncheck every service that you're not using. There are too many on by default.
Protect all these changes by locking them, which means that altering the options will require an administrator password.
The Keychain is a great place to store passwords. It's also the first place someone would look if they wanted your password. Open Keychain Access, then press Edit and Change Settings for Keychain. Set an idle timeout to protect your passwords when you walk away, and enable Lock on sleep so that if you suspend the machine and start it up again, your passwords will be safe. Use a different password for Keychain than your account password, so if someone gets one they won't necessarily get both.
Laptop Users
Any one of the computer users above might own a laptop, and portable computers come with their own set of security issues, because they can easily be lost or stolen. With physical access to a PC, a whole new raft of problems arises. Here are some things you can do to prepare for the worst—your laptop falling into someone else's hands.
Set a system password using your laptop's BIOS. When you boot your PC, you'll see a screen quickly pass by that says something like "For system settings press F2 [or F10 or Delete]." Press the key, then poke around until you find the system password setting. Enable it, then enter and confirm your password. Then save changes and reboot—and don't ever lose that password!
Set a Windows password.
Use a cable lock or store your laptop in the safe in your hotel room when it's not on your person.
Keep an eye on your laptop in transit. Don't put the bag down and walk away. Consider using a proximity alarm.
Keep your passwords in your head. Don't write them down on a piece of paper and leave it in a pocket or your laptop bag or—seriously—taped to the laptop itself.
If you have sensitive data, encrypt it using Windows Encrypted File System (EFS), BitLocker, or a third-party product. You can encrypt the whole drive or specific directories and files.
Run tracking software so that if the laptop is stolen and connected to the Internet, it can be retrieved. Some of these programs can wipe the hard drive clean if ordered to do so remotely.
Source:
http://www.pcmag.com/article2/0,2817,2334856,00.asp
This post has been edited by ericpires: Nov 19 2008, 10:47 AM
Security Tips and Tricks for Everyone
Nov 19 2008, 10:47 AM, updated 18y ago